[RADIATOR] random EAP authentication errors since 4.17

Heikki Vatiainen hvn at open.com.au
Wed Nov 30 16:45:46 UTC 2016

On 30.11.2016 18.02, Hartmaier Alexander wrote:

> Let me clarify our setup:
> EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
> populates
>     $context->{customer} = $customer;

Thanks, this clarifies the situation. You need to save information 
across resumed authentications.

> I assume that the PostAuthHook is also run for resumed sessions but
> EAPTLS_CertificateVerifyHook isn't which leads to the lack of the
> $context contents and thus the failure of the PostAuthHook.

Correct. Certificate verification runs only during full TLS handshake. 
Handler's PostAuthHook runs always when Handler is finishing its work. 
It does not matter if the TLS handshake within an AuthBy was full or 

I'll get back to you about how to save custom information across resumed 
authentications. For more about what is saved now, see EAP.pm and 
eap_save_resume_context and its counterpart just below. When thinking 
about possible options would a hook work for you? Another possibly might 
be to automatically save suitably named context variables, for example 
$context->{custom_info} would be automatically saved and restored.

The reason for this change was to allow the user of State attribute with 
EAP authentication and more clearly separate information that is needed 
during one EAP authentication dialog from information that needs to be 
kept across resumed authentications.


Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.

More information about the radiator mailing list